Appendix 1

ISO 27001 Statement of Applicability

ISO27001: ISO27001: Section / Title SPF Ref. Progress Evidence Responsibility Recommendations / Actions Document name / location
2005 Ref. 2013 ref v10 (new)
A.5 SECURITY POLICY
A.5.1 Information security policy
MR 4
A.5.1.1 Information security policy document Complete Information Security Policy InfoSec Mgr. No action Information Security Policy
MR 6

MR 4 Document contained in the Corporate Document Centre

A.5.1.2 Review of the information security policy Complete Information Security Policy InfoSec Mgr. Yearly review
MR 6 (CDC).
A.6 ORGANISATIONAL AND INFORMATION SECURITY
A.6.1 Internal organisation
MR 1 Information Security Manager in post. The acceptance of implementing an Ensure regular feedback to CLT via line manage and PSWG on
Corporate Leadership
A.6.1.1 Management commitment to information security MR 2 Complete Information Security Management System (ISMS) at board level. Documented implemented controls and further work needed to progress Statement of Applicability / PSWG SharePoint site.
Team (Chief Fire Officer)
MR 3 in minutes of CLT meeting. Information Security.

Protective Security Working Group established and a project

Information Security Manager in place.
A.6.1.2 Information security co-ordination MR 1 Complete InfoSec Mgr. to commenced to deal with the requirements of the
Protective Security Working Group set-up.
Government Protective Security Strategy and Framework

MR 1 Allocation of Information Security responsibilities are outlined Information Security Manager Job Description and
A.6.1.3 Allocation of information security responsibilities Complete Information Security Manager in place. InfoSec Mgr.
MR 6 in the Statement of Applicability. responsibilities.

Authorisation will be from head of Corporate Planning and Intelligence Head of Corporate
A.6.1.4 Authorisation process for information MR 8 Complete Change management process and sign off by Head of CPI
Directorate and LT authorisation if applicable. Planning & Intelligence

Confirm with all Directorates that they have either their own
Employees required to adhere to confidentially requirements through
MR 9 document or abide by the contract and terms of reference
published policies.
A.6.1.5 Confidentiality agreements MR 10 Complete InfoSec Mgr. offered to the third party.
Confidentiality is standard clause for all company employees within their
MR 11 Documents will need to be entered into the CDC - not
employment contract and third party agreements.
currently catalogued properly.

a. Relevant contacts are in-place with authorities - specific to each directorate.

MR 12
A.6.1.6 Contact with authorities Complete b. Security Incident procedures are in-place for contact with Internal audit InfoSec Mgr.
MR 13
team and the ICO.

a. iNetworks Knowledge Hub and NWARP (North West Warning, Advice and
Ensure that the ISM attends these quarterly meetings and
A.6.1.7 Contact with special interest groups Complete Reporting Point). InfoSec Mgr.
pursues contact with other Fire Services.
b. Regular communications with fire services and NWFC collaboration project.

Security consultancy - ECSC - review Jan 2012 and Aristi May 2013.
Regular, on-going audits with Wigan Council Internal Audit
A.6.1.8 Independent review of information security MR 8 Complete Recent vulnerability test took place on the internal network, wireless network InfoSec Mgr.
Department and Audit Commission.
and Mobile Data Terminals.

A.6.2 External parties

a. Risks relating to third parties are to be added to the Risk Assessment Risk Each Directorate - On-going - Risk assessments to be undertaken and
A.6.2.1 Identification of risks related to external parties MR 11 Partial Register & Potential New Risks to be raised. Directorate Risk Register
b. Ensure that a list of external parties is kept up-to-date. SIRO - Produce a list of all external parties and review regularly

A process is needed to record access by third parties.

MR 6
A.6.2.2 Addressing security when dealing with customers Partial Risks relating to customers are to be added to the Risk Assessment. Each Directorate Possible SharePoint site needed for recording access from Directorate Risk Register
MR 10
external parties.

A.6.2.3 Addressing security in third party agreements MR 11 Complete Confidentiality and DPA is covered in standard contracts Service Solicitor Service Solicitor will keep this process up-to-date. Where is this recorded ?

A.7 ASSET MANAGEMENT

A.7.1 Responsibility for assets

Reports can be produced from the ICT SupportWorks system

Asset Inventory held in SupportWorks, the ICT asset management / support
A.7.1.1 Inventory of assets MR 7 Partial ICT It is not however retrospective and there is no proven SupportWorks
desk system
accuracy to historical data. This needs to be addressed.

a. Reports can be produced from the ICT SupportWorks

a. Asset Inventory identifies user of equipment. ICT
system
A.7.1.2 Ownership of assets MR 2 Partial b. Work is still being undertaken on identifying the Information Asset & SupportWorks
b. Produce an information Asset Register and train up Asset
Owners. InfoSec Manager
Owners.

A.7.1.3 Acceptable use of assets MR 3 Complete Acceptable Use Policy InfoSec Manager Keep policy up-to-date on yearly review process. Acceptable Use Policy

A.7.2 Information classification

Corporate Planning and Project to be initiated for this control, timescale not defined
A.7.2.1 Classification guidelines MR 7 Incomplete Classification Scheme is not yet implemented.
Intelligence Dir. yet
 Corporate Planning and Project to be initiated for this control, timescale not defined
A.7.2.2 Information labelling and handling MR 7 Incomplete No Protective Marking scheme yet implemented.
Intelligence Dir. yet
A.8 HUMAN RESOURCES SECURITY
A.8.1 Prior to employment

People & Organisational HR document / policy review process. To be included in the

A.8.1.1 Roles and responsibilities MR 1 Complete Roles for all employees are defined, including Information Security Manager.
Development Corporate Document Centre.

All employees are screened for references, medical status, and where
MR 13 People & Organisational HR document / policy review process. To be included in the
A.8.1.2 Screening Complete appropriate CRB.
MR 14 Development Corporate Document Centre.
Agency contract staff are not screened internally.

People & Organisational HR document / policy review process. To be included in the

A.8.1.3 Terms and conditions of employment MR 11 Complete All employees are required to sign T&Cs
Development Corporate Document Centre.
A.8.2 During employment
Employees required to adhere to confidentiality requirements through People & Organisational
A.8.2.1 Management responsibilities MR 2 Complete Awareness of HR and Information security policies needed.
published policies. Development

Training records are maintained for all employees by POD.

A training structure is needed for Information Security
Formal Information Security Training not yet implemented. The Cabinet Office
A.8.2.2 Information security awareness, education and training MR 3 Partial ICT awareness and Data Protection awareness. ICT to assess and
Awareness training modules are available but not yet implemented on GMFRS
implement the modules.
ICT systems.

People & Organisational

A.8.2.3 Disciplinary process MR 12 Complete Procedures and policies are in-place This process is included in HR and InfoSec Policies.
Development
A.8.3 Termination or change of employment
- Procedures should be defined to back up the process.
HR register leavers within POD iTrent system, which generates emails for the People & Organisational
A.8.3.1 Termination responsibilities Complete - Records should be kept and communication should be
Line Manager and ICT. Development / ICT
frequent between ICT and HR.

Line Manager is responsible for retrieving assets from leaver, as recorded in People & Organisational These should be kept up-to-date in the ICT SupportWorks
A.8.3.2 Return of assets Complete
Asset Register. Development / ICT system.

ICT Service Desk and Infrastructure team action account disabling and
A.8.3.3 Removal of access rights Complete ICT Documented procedures needed
archiving for leavers.
A.9 PHYSICAL AND ENVIRONMENTAL SECURITY
A.9.1 Secure areas
Finance and Technical - CCTV procedures needed.
A.9.1.1 Physical security perimeter MR 18 Complete Perimeter is protected by gates, CCTV, and 24hr security guard on reception.
Services - Site Security audit to be completed

Visitors are required to sign in. Staff and visitors have badges. Fobs required Finance and Technical
A.9.1.2 Physical entry controls MR 18 Complete Documentation / Procedures needed
for access to specific areas. Services

Entrance beyond reception requires fob access. Access is restricted in specific

areas. Finance and Technical
A.9.1.3 Securing offices, rooms and facilities MR 17 Complete Documentation / Procedures needed
ICT and Finance departments are fob-controlled over-night. Services
Door-control system carries some risks – see Risk Assessment.
Finance and Technical
A.9.1.4 Protecting against external and environmental threats MR 18 Complete Environment is protected for smoke and fire. Documentation / Procedures needed
Services
Finance and Technical Door notice and log book will need to be reviewed and
A.9.1.5 Working in secure areas MR 18 Complete FSHQ Comms Rooms have secure entry procedures posted on doors.
Services updated if necessary on a yearly basis.

Finance and Technical

A.9.1.6 Public access, delivery and loading areas MR 18 Complete Deliveries restricted to reception and controlled by security. Documentation / Procedures needed
Services
A.9.2 Equipment security

Data Centre has restricted access, and protection against fire, smoke and
A.9.2.1 Equipment siting and protection MR 17 Complete ICT Documentation / Procedures needed
unauthorised access. Visitors to data centre must also sign-in.

A.9.2.2 Supporting utilities Complete Data Centre supported by UPS and cooling services. ICT Documentation / Procedures needed

Cabling is confined in trays, in structured cabling with walls/floors, or in patch

A.9.2.3 Cabling security Complete ICT Documentation / Procedures needed
cabinets.

Equipment list should be held by the Estates Dept and the ICT Service Desk.
A.9.2.4 Equipment maintenance Partial This will be the asset register. All maintenance schedule should be held by ICT Documentation / Procedures needed
these departments.

A.9.2.5 Security of equipment off- premises MR 9 Partial ################################################################ ICT Documentation / Procedures needed

- If PCs are to be disposed or sold to third party reseller, ICT format all PC HDs PCs and Laptops are under this process. Printers and MFDs
with BLANCO - government specification formatting application. (Multi Function Devices) are under a contract with RICHO.
A.9.2.6 Secure disposal or re- use of equipment MR 9 Partial ICT
- Contract for the disposal company is up for renewal, this has yet to be signed Mobile phones need to be included in this clause. CCTV
off (Sept 13) procedures to be identified.

Policy in place but no technical controls have been

A.9.2.7 Removal of property MR 9 Partial Removable Media and Mobile Device policy ICT Removable Media and Mobile Device Policy
implemented.
A.10 COMMUNICATIONS AND OPERATIONS MANAGEMENT
A.10.1 Operational procedures and responsibilities
 Not all operating procedures are documented or in a format to
store centrally. This is being addressed with the Document
A.10.1.1 Documented operating procedures MR 10 Partial Some documented operating procedures ICT
Management System project and awareness training from the
ISM.

RFC process managed by ICT Service Desk Manager (Change Manager) and CAB
All project that have an ICT involvement should follow this
A.10.1.2 Change management MR 8 Partial meetings. ICT
process, but it is not currently the way
Not all changes are included in process – see Risk Assessment

This will need to be assessed in relation to systems that store

Rather than have segregation of duties, staff are trained in accordance with
Information Security sensitive information and personally identifiable information.
A.10.1.3 Segregation of duties MR 8 Incomplete Data Protection guidelines and their obligations under their employment
Manager / ICT Personnel with extended ICT system access will need to be
terms and conditions.
assed for segregation of duties.

ICT staff have designated roles. Access privileges are assigned dependent upon People & Organisational Refer to the job descriptions and role requirements and
A.10.1.4 Separation of development, test and operational facilities MR 8 Partial
their job requirements. Development / ICT departmental operating procedures.

A.10.2 Third party service delivery management

- A register of all SLAs with third party suppliers is needed. At

present, Directorate Managers are in possession of these SLAs
A.10.2.1 Service delivery MR 11 Complete Critical Suppliers are subject to SLAs, including C&W, Daisy ICT
and there is no organisational wide register.
- Documentation and Register needed

Regular Reports and service reviews for critical suppliers, including C&W,
A.10.2.2 Monitoring and review of third party services MR 11 Complete ICT Documentation / Procedures needed
Daisy.

Changes to Firewall configuration managed through Daisy change control.

A.10.2.3 Managing changes to third party services MR 11 Complete ICT Documentation / Procedures needed
Other supplier changes managed through internal RFC change process.

A.10.3 System planning and acceptance

Network capacity monitored through Solarwinds, and contracted to Intrinsic.
A.10.3.1 Capacity management MR 8 Complete RFCs include requirement to identify capacity requirements for changes / ICT Documentation / Procedures needed
installations.

A.10.3.2 System acceptance MR 8 Incomplete No formal Post Implementation Review (PIR) process in place. ICT Implement a Post Implementation Review

A.10.4 Protection against malicious and mobile code

- Review needed on the administration and support of these
MR 9 Antivirus installed on desktops, laptops and servers. solutions. Document contained in the Corporate Document Centre
A.10.4.1 Controls against malicious code Complete ICT
(GPG 7) (CESG GPG 7: Protection from Malicious Code) - Documentation / Procedures needed (CDC).
- Patching Policy and Mobile Code Policy needed
- Review needed on the administration and support of these
MR 9 solutions. Document contained in the Corporate Document Centre
A.10.4.2 Controls against mobile code Complete Antivirus installed on desktops, laptops and servers. ICT
(GPG 7) - Documentation / Procedures needed (CDC).
- Patching Policy and Mobile Code Policy needed
A.10.5 Back-up

- Documentation of back-up process needed and procedures.

- Back-up of servers is in operation. - List of all data that is backed-up and retention periods is
A.10.5.1 Information back-up MR 4 Partial ICT
- Off site back-up to Business Continuity site - Stretford Fire Station. needed.
- Schedule for the testing of backups is needed.

A.10.6 Network security management

Networks managed by dedicated ICT team.

A.10.6.1 Network controls MR 8 Partial ICT Change control process and procedures need to be confirmed.
Changes to the Network may be un-planned or outside ICT controls.

- Contracts in-place with third parties for maintenance;

contracts need to be entered into the CDC.
ICT approve changes to network security but third party is in control of the
A.10.6.2 Security of network services MR 9 Partial ICT - Network security changes will be approved by ICT
firewall and a number of systems on
management and logged in the Support Works system.
- Procedures needed for all these processes

A.10.7 Media handling

- Policy on Removable Media and Mobile Devices published.
A.10.7.1 Network controls MR 8 Partial - There is no 'complete' technical control over removable media at this time ICT Implement an end point security solution. Removable Media and Mobile Device Policy
(Sept. 13)

- Contract in-place for paper waste disposal with Shred-it.

A.10.7.2 Security of network services MR 9 Complete Contract/Agreement for Waste Disposal ICT - Agreement in-place for computer waste (hardware,
peripherals and cabling) with Computer Waste Ltd

Information Security Policies are in-place but the technical controls need to be
A.10.7.3 Network controls MR 8 Partial ICT Procedures needed for administering network access controls.
reviewed

Corporate Planning and Information Management Strategy has been produced and the
A.10.7.4 Security of network services MR 7 Incomplete Document Management System is in development
Intelligence Dir. document management project is underway.
A.10.8 Exchanges of information
Data Sharing Group set-up. No central repository of data sharing agreements Data Sharing Group / The group meets every two months and TOR and minutes
A.10.8.1 Information exchange policies and procedures MR 9 Partial has been produced. Information Security produced. The ISM is in the process of producing a GMFRS
Partnership Agreements are being implemented. Manager Data Sharing Agreement.
 Central repository of agreements needed as they are currently held within the Corporate Planning and Organise the collation of all data sharing agreement needed
A.10.8.2 Exchange agreements MR 9 Partial
directorate that signs the agreement. Intelligence Dir. within the CDC

Organisational awareness needed for the policy.

Removable Media and Mobile Device policy is in-place but technical controls Information Security
A.10.8.3 Physical media in transit MR 7 Partial Information Asset owners need training on transferring
need reviewing. Manager
physical media.

A.10.8.4 Electronic messaging MR 7 Partial Acceptable Use Policy is in-place but technical controls need reviewing. ICT ISM to advise ICT on appropriate technical controls.

Policy on connection with partners including Wigan MBC and NW RCC, not yet Confirmation of the systems required before we can confirm
A.10.8.5 Business information systems MR 9 Incomplete ICT
defined. any contracts for SLAs in-place. ICT to supply the information.

A.10.9 Electronic commerce services

A.10.9.1 Electronic commerce N/A No online payment processing. N/A

A.10.9.2 On-line transactions N/A No online transaction processing. N/A

Website managed externally by Daisy (previously 2E2) with restricted access,

A.10.9.3 Publicly available systems Complete ICT Need to supply evidence of the contract.
under SLA and contract.
A.10.10.1 10.1 Monitoring

Windows domain event logging to Log Rhythm system.

MR 9 Information Security Need to set-up review schedules for auditing.
A.10.10.1 Audit logging Complete Other servers and network devices not currently logged.
(GPG 13) Manager
ICT implement SolarWinds and other logging systems.

Alerting and ad-hoc reporting from Log Rhythm on privileged account

MR 9 Information Security
A.10.10.2 Monitoring system use Partial password changes, VPN access and large volume password changes. Documentation and scheduling needed.
(GPG 13) Manager
Documented procedures not yet in place.

MR 9
A.10.10.3 Protection of log information Complete Access to Log Rhythm system is restricted to authorised users. ICT Procedures needed.
(GPG 13)

MR 9
A.10.10.4 Administrator and operator logs Complete Admin and operator access is included in Windows event logs. ICT Procedures needed.
(GPG 13)

MR 9 User and system fault reports and Service Desk actions are recording in
A.10.10.5 Fault logging Complete ICT Procedures needed.
(GPG 13) Support Works.

MR 9 System automatically picks up clock synchronisation from Windows registered

A.10.10.6 Clock synchronisation Complete ICT Documentation needed.
(GPG 13) account.
A.11 ACCESS CONTROL
A.11.1 Business requirement for access control

Information Security
A.11.1.1 Access control policy MR 10 Complete Access Control Policy produced. Access Control Policy
Manager

A.11.2 User access management

New starters are added to AD by Service Desk following automatic notification

MR 9 from HR/Payroll System. People & Organisational
A.11.2.1 User registration Complete Documentation / Procedures needed
MR 10 Removal of users through same channel, but ticket passes to Infrastructure Development / ICT
team to archive data and remove account.

Users are assigned departmental shares via Group Membership and deployed
MR 9 People & Organisational
A.11.2.2 Privilege management Complete via login script. Additional share access is managed through ACLs and Groups, Documentation / Procedures needed
MR 10 Development / ICT
which are added to user as authorised by share owner.

MR 9 Information Security
A.11.2.3 User password management Complete Password Guidance document. Password Guidance
MR 10 Manager

There is potential for users to retain inappropriate group

membership when moving roles, and fob access to restricted
MR 9 Information Security
A.11.2.4 Review of user access rights Incomplete No review of user rights. areas.
MR 10 Manager / ICT
The standard requires access reviews for all systems on a
periodic, e.g. annual, basis.

A.11.3 User responsibilities

Information Security
A.11.3.1 Password use MR 10 Complete Induction process advises that all staff read the Information Security Policies. Annual review of policies and awareness training.
Manager

Clear Desk and Screen Policy. 10 minute screensaver enforced by AD Group Information Security
A.11.3.2 Unattended user equipment MR 10 Complete New staff are advised of policies in the induction process
Policy. Manager

MR 7 Information Security
A.11.3.3 Clear desk and clear screen policy Complete Clear Desk and Screen Policy. Awareness training needs to be implemented.
MR 10 Manager
A.11.4 11.4 Network access control
MR 7 Access control policy documented. ICT have process for assigning access
A.11.4.1 Policy on use of network services Complete ICT Access Control Policy
MR 9 privileges and recorded in the SupportWorks system.

1. External users over the internet have VPN access with Vasco 2-factor Administration documentation needed and yearly review
A.11.4.2 User authentication for external connections MR 9 Complete ICT
authentication. schedule needed.

1. Internal wired network has Network Access Control (ForeScout) for device
identification or authentication. Administration documentation needed and yearly review
A.11.4.3 Equipment identification in the network MR 9 Complete ICT
2. Internal wireless networks are restricted by MAC address authentication, schedule needed.
WPA2/PSK security.
 Network Access Control system needs to be fully implemented
A.11.4.4 Remote diagnostic and configuration port protection MR 9 Complete All network devices in secure comms rooms. ICT
and reports to be reviewed regularly.

A.11.4.5 Segregation in networks MR 9 Complete Networks are segmented through routers and layer3 switches. ICT

Change Control process needs to be followed and properly

documented.
A.11.4.6 Network connection control MR 9 Partial ################################################################ ICT
Documentation / Procedures needed

All routing managed by internal team for local and wide area networks. Intrinsic (third party) SLA and Documentation needed … to be
A.11.4.7 Network routing control MR 9 Complete ICT
Connection to the internet managed by third party under SLA. entered into the CDC.

A.11.5 Operating system access control

Active Directory controls in-place. Domain Admin and priviledege access The procedure needs to be documented and a review
A.11.5.1 Secure log-on procedure MR 9 Complete ICT
logons are requested via SupportWorks and authorised by ICT Manager. schedule set-up
Users have unique Ids, but some historic use of shared Ids, which are still The procedure needs to be documented and a review
A.11.5.2 User identification and authentication MR 9 Partial ICT
active. schedule set-up

This is in-place but it may be advisable to set the lock out procedure - Three
A.11.5.3 Password management system MR 9 Complete ICT Advse ICT on the reasoning for the lock out process.
wrong passwords and lock out for 5 mins

The procedure needs to be documented and a review

A.11.5.4 Use of system utilities MR 9 Complete Domain Administration is restricted to Infrastructure and Service Desk teams. ICT
schedule set-up
The procedure needs to be documented and a review
A.11.5.5 Session time-out MR 9 Complete 10 minute screen saver implemented on all systems. ICT
schedule set-up
There are limitations on connection time but this needs to be explored for ICT to audit all systems and assess the need to impose time
A.11.5.6 Limitation of connection time MR 9 Partial ICT
individual systems limitations on access.
A.11.6 Application and information access control
Information Asset review ids needed before allocation of
Information Security access controls can be assigned.
A.11.6.1 Information access restriction MR 9 Incomplete Information Asset Owner review currently being undertaken.
Manager / ICT Information Security Manager to assess Information Assets
owners and ICT to implement controls

Project is already in-progress. Refer to the relevant CRMS

A.11.6.2 Sensitive system isolation MR 7 Incomplete Systems are in development (CRMS) that would hold sensitive information. CPI / ICT
project.

A.11.7 11.7 Mobile computing and teleworking

These policies need to be reviewed. The Information

Removable Media and Mobile Device policy in-place but there is no
A.11.7.1 Mobile computing and communications MR 9 Partial CPI / ICT Management project will investigate how GMFRS staff will Removable Media and Mobile Device Policy
Teleworking or home working policy.
access and use information in the future. Project on-going

If this is to be progressed, then a project around home

Removable Media and Mobile Device policy in-place but there is no
A.11.7.2 Teleworking MR 9 Incomplete POD / CPI / ICT working needs to be created. This would involve ICT, POD and
Teleworking or home working policy.
CPI.

A.12 INFORMATION SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE

A.12.1 Security requirements of information systems

Where raised, RFCs include requirement to specify security controls. Change Management process needs to be properly
A.12.1.1 Security requirements analysis and specification MR 16 Partial ICT
Many changes are implemented without RFCs. implemented within the organisation.
A.12.2 Correct processing in applications
A.12.2.1 Input data validation Incomplete text to be completed ... ICT
A.12.2.2 Control on internal processing Incomplete text to be completed ... ICT
A.12.2.3 Message integrity Incomplete text to be completed ... ICT
A.12.2.4 Output data validation Incomplete text to be completed ... ICT
A.12.3 Cryptographic controls

MR 9 BitLocker is deployed to all GMFRS PC laptops. There is key encryption but no

A.12.3.1 Policy on the use of cryptographic controls Partial ICT Specify the process of storing encryption keys for BitLocker.
(HMG IAS 4) documented proof of segregation of server and access controls.

MR 9
A.12.3.2 Key management Partial Key management is in-place but needs to be documented ICT Documentation of procedures needed.
(HMG IAS 4)
A.12.4 Security of system files
A.12.4.1 Control of operational software MR 9 Incomplete No documented process or procedures in-place. ICT Review of controls and documentation needed.

A.12.4.2 Protection of system MR 9 incomplete No documented process or procedures in-place. ICT Review of controls and documentation needed.
A.12.4.3 Access control to program source code MR 9 Incomplete No documented process or procedures in-place. ICT Review of controls and documentation needed.
A.12.5 Security in development and support processes
Formal RFC and CAB process managed through SupportWorks.
A.12.5.1 Change control procedures MR 8 Partial ICT Review of controls and documentation needed.
Not enforced for all changes.

A.12.5.2 Technical review of applications after operating system changes MR 8 Incomplete No documented process or procedures in-place. ICT Review of controls and documentation needed.

A.12.5.3 Restrictions on changes to software packages MR 8 Incomplete No documented process or procedures in-place. ICT Review of controls and documentation needed.
A.12.5.4 Information leakage MR 7 Incomplete No documented process or procedures in-place. ICT Review of controls and documentation needed.
A.12.5.5 Outsourced software development MR 9 Incomplete No documented process or procedures in-place. ICT Review of controls and documentation needed.
A.12.6 Technical vulnerability management

Desktops and laptops are managed for Microsoft updates via WSUS.
A.12.6.1 Control of technical vulnerabilities MR 8 Partial Servers are only patched at installation, to prevent conflict with applications. ICT A patch management solution and policy to be introduced
Non-Microsoft product patches are only updated when upgraded.

A.13.1 INFORMATION SECURITY INCIDENT MANAGEMENT

A.13.1 Reporting information security events and weaknesses
Policy has been updated.
Incident Policy. Incidents are recorded in Secure Works, for ICT events. Other Information Security
A.13.1.1 Reporting information security events MR 12 Complete The Service Desk should be updated on this policy and revised Security Incident Reporting Policy
security incidents not recorded. No definitive categorisation of events for ISM. Manager
reporting procedure.

Incident Policy. Incidents are recorded in Secure Works, for ICT events. Other
Information Security Progress Information Security awareness within the
A.13.1.2 Reporting security weaknesses MR 12 Partial security incidents not recorded. No definitive categorisation of events for ISM.
Manager organisation.
Reported to Head of CPI at weekly meeting and to CLT and LT.

A.13.2 Management of information security incidents and improvements

Incident Policy has been adopted and all relevant departments and personnel Information Security Regular awareness training needed as part of the Information
A.13.2.1 Responsibilities and procedures MR 12 Complete Security Incident Reporting Policy
are aware of their responsibilities. Manager Security Group activities.

Information Security
A.13.2.2 Learning from information security incidents MR 12 Partial Not fully implemented. Information Security Group needs to be set-up Set-up the Information Security group
Manager
Information Security
A.13.2.3 Collection of evidence MR 12 Complete Follow procedures as set-up in the policy and CESG guidance (HMG SPF) HMG SPF guidance on security incidents to be implemented.
Manager
A.14 BUSINESS CONTINUITY MANAGEMENT
A.14.1 Information security aspects of business continuity management
Including information security in the business continuity management Information Security The ISM is responsible for communicating information security
A.14.1.1 MR 4 Complete Business Continuity management group co-ordinates Directorate Level BCPs.
process Manager issues with the Business Continuity Group.

Each BCP has Business Impact Analysis to determine prioritisation for recovery Business Continuity The ISM is responsible for communicating information security
A.14.1.2 Business continuity and risk assessment MR 4 Complete
of services with each Directorate. Group issues with the Business Continuity Group.

Developing and implementing continuity plans including information Business Continuity Plans implemented for each Directorate. ICT Continuity Information Security The ISM is responsible for communicating information security
A.14.1.3 MR 4 Complete
security Plan includes BCP site at Stretford. Manager issues with the Business Continuity Group.
All Directorates complete BCP plans as part of the whole BCP for the Authority. Business Continuity The ISM is responsible for communicating information security
A.14.1.4 Business continuity planning framework MR 4 Complete
BCP Review meetings held to co-ordinate plans and testing. Group issues with the Business Continuity Group.

Desktop testing of departmental tests, reviewed regularly. Business Continuity ICT are due to go through testing on the BCS at Stretford S10
A.14.1.5 Testing, maintaining and re-assessing business continuity plans MR 4 Partial
Testing of BCP site not yet complete. Group by the end of 2013.
A.15 BUSINESS CONTINUITY MANAGEMENT
A.15.1 Compliance with legal requirements

Policy Officer now in-place within the CPI directorate.

Authority receives many sources of advice on legislation, which are maintained Communication with this post and the ISM who is chair of the
MR 6 Corporate Planning and
A.15.1.1 Identification of applicable legislation Complete through departments. Currently no central co-ordination of information GMFRS Protective Security Working Group means that all
(HMG IAS 5) Intelligence Dir.
security legislation. relevant legislation will be recorded and implemented in-line
with our new project management methodology.

MR 6 IPR and copyright is maintained through contracts with third parties, in T&Cs Deputy Clerk / Authority
A.15.1.2 Intellectual property rights (IPR) Complete
(HMG IAS 5) of employment, and through control of installed software. Solicitor

MR 6 Important HR and legal documents are kept under strict access control. Corporate Planning and
A.15.1.3 Protection of organisational records Partial ###################################################
(HMG IAS 5) Contracts may be held by departments, with no centralised record. Intelligence Dir.

MR 6 Corporate Planning and

A.15.1.4 Data protection and privacy of personal information Complete Fully registered with the ICO for compliance with the DPA. Data Protection Ofice and SIRO - Paul Sharples, Head of CPI.
(HMG IAS 5) Intelligence Dir.

MR 6 Information Security
A.15.1.5 Prevention of misuse of information processing facilities Complete Acceptable Use Policy Acceptable Use Policy
(HMG IAS 5) Manager

Encryption is standardised across the organisations laptops

and there is an SFTP server in-place as well as secure email
MR 6 Information Security
A.15.1.6 Regulation of cryptographic controls Partial These needs covering in the Encryption Policy. (.cjsm), But not documented
(HMG IAS 5) Manager
Produce an Encryption policy that incorporates laptops,
Winzip, SFTP etc.

Compliance with security policies and standards and technical

A.15.2
compliance

Action the remaining recommendations within the agreed

Wigan MBC provide Internal Audit function for ICT. This does not cover all
A.15.2.1 Compliance with security policy and standards MR 5 Partial ICT timescale.
requirements for the standard.
Report to next Audit and Scrutiny Committee.
 Penn Test scheduled for Dec 2013. To include external firewall
A.15.2.2 Technical compliance checking MR 5 Partial Penetration Testing has been run historically. No recent scan. ICT testing and wireless access.
MDT / airwave CoCo test to be arranged for Sept 2013.
A.15.3 Information systems audit considerations

Change management process is in-place but no evidence that this is followed The Change Management Board needs to be reintroduced to
A.15.3.1 Information systems audit controls MR 5 Partial ICT
as per ITIL recommendations. the organisation.

Active Directory access controls are used and procedures for requesting access
A.15.3.2 Protection of information systems audit tools MR 5 Complete ICT Review schedule needs to be implemented.
is through the ICT SupportWorks Help Desk system

GLOSSARY
39 Partial ISM Information Security Manager
71 Complete CLT Corporate Leadership Team
21 Incomplete ICT Information & Communications Technology
2 N/A HIKM Head of Intelligence & Knowledge Management
CPI Corporate Planning and Intelligence Directorate
133 Control Total RM Risk Manager
DC Deputy Clerk and Authority Solicitor
POD People and Organisational Development
BCG Business Continuity Group.